
Which HMAC scheme is more secure? Or are they of the same level of security?

Scheme One

  • Compute an HMAC on the data to encrypt (cleartext/plaintext)

  • Encrypt the data with AES_CTR_256, and append the above HMAC to the end of the ciphertext

Scheme Two

  • Compute an HMAC on the data to encrypt (cleartext/plaintext)

  • Encrypt the data with AES_CTR_256, and append the above HMAC to the end of the ciphertext

  • Compute another HMAC on the ciphertext_HMAC combo and append it: ciphertext_HMAC_HMAC

And also, would using the same HMAC key be secure for scheme two?

Legorooj

1 Answer


The first scheme is similar to what's called Encrypt-and-MAC. It is not ideal, but it is not fatally broken, and it is still used by the SSH protocol securely. You need to include a counter or other unique value in the data being MACed to maintain IND-CPA security (i.e. identical plaintexts don't have identical MACs).

The second scheme you present doesn't really make sense. I can't see what benefit it would provide. Generally, you would want to use Encrypt-then-MAC, or EtM, a scheme where the plaintext is encrypted, the MAC is computed over the ciphertext and appended directly to it. EtM is a better scheme because it gives away no information about the plaintext, even if the MAC is broken. It also gives you the benefit of allowing you to discard a forged message without needing to decrypt it first, to prevent some attacks.

See also: Should we MAC-then-encrypt or encrypt-then-MAC?

On a side-note, you should use AEAD instead. For AES, that means selecting an authenticated mode like GCM, which is both fast and secure. Although HMAC can be used safely, AEAD is usually better.

forest
  • Thanks for the answer - exactly what I was looking for. Out of curiosity, is the first scheme in the linked question (TLS scheme) safer than the one you describe in your answer? – Legorooj Sep 09 '19 at 06:59
  • 1
    @Legorooj No. Encrypt-then-MAC is better than MAC-then-Encrypt (see answers to the linked question). Note that TLS 1.3 doesn't use HMAC anyway. It uses AES in GCM mode (but CCM is also supported). – forest Sep 09 '19 at 07:00
  • Thanks, this solves my question. :-) – Legorooj Sep 09 '19 at 07:01
  • 1
    To be clear: Encrypt-and-mac using a deterministic MAC like HMAC is fatally broken in the sense that it breaks CPA security because it leaks equality of plaintexts. – Maeher Sep 09 '19 at 07:10
  • @Maeher Well that's why you need to use a random HMAC key. – forest Sep 09 '19 at 07:13
  • While that would prevent the immediate attack, it's neither what encrypt-and-mac commonly refers to, nor what was described in the question. – Maeher Sep 09 '19 at 07:15
  • @Maeher Encrypt-and-MAC refers to computing MAC over the plaintext, then encrypting the plaintext, then appending the MAC value to the ciphertext, no? That's what OP is describing. – forest Sep 09 '19 at 07:18
  • Exactly, with a mac-key reused between ciphertexts. – Maeher Sep 09 '19 at 07:21
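As an added illustration (not code from the answer, the question, or any library), here is a Python sketch of Scheme One (Encrypt-and-MAC) beside Encrypt-then-MAC as the answer describes it. It uses an HMAC-SHA256 counter-mode keystream as a stand-in for AES_CTR_256, because the Python standard library has no AES; the key-derivation labels, function names and sample plaintexts are constructed for this example. It makes concrete the point raised in the comments: with a MAC key reused across messages, Scheme One's tag is a deterministic function of the plaintext, so two encryptions of the same message carry identical tags, whereas a tag over nonce||ciphertext does not, and a tampered Encrypt-then-MAC message is rejected before any decryption takes place.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16  # bytes of per-message nonce (constructed choice)
TAG_LEN = 32    # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: stand-in for AES-CTR so the example needs no AES library.
    Assumption: in a real system this is replaced by AES_CTR_256 from a crypto library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher encryption/decryption: XOR data with the keystream."""
    ks = _keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def derive_keys(master: bytes) -> tuple:
    """Separate encryption and MAC keys from one master key (constructed labels)."""
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


# Scheme One from the question: HMAC over the plaintext, appended to the ciphertext.
def eam_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    return nonce + ctr_xor(enc_key, nonce, plaintext) + tag


def eam_tag(msg: bytes) -> bytes:
    """The trailing tag is sent in the clear, so anyone can read it."""
    return msg[-TAG_LEN:]


# Encrypt-then-MAC as described in the answer: HMAC over nonce||ciphertext.
def etm_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = ctr_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def etm_decrypt(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """Verify first; a bad tag is rejected before the ciphertext is ever decrypted."""
    if len(msg) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("authentication failed")
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    return ctr_xor(enc_key, nonce, ct)


def eam_leaks_equality(master: bytes, p1: bytes, p2: bytes) -> bool:
    """True when two Scheme One messages reveal p1 == p2 through their visible tags."""
    enc_key, mac_key = derive_keys(master)
    m1 = eam_encrypt(enc_key, mac_key, p1)
    m2 = eam_encrypt(enc_key, mac_key, p2)
    return eam_tag(m1) == eam_tag(m2)


def etm_tags_differ(master: bytes, p1: bytes, p2: bytes) -> bool:
    """EtM tags cover the random nonce, so even equal plaintexts get distinct tags."""
    enc_key, mac_key = derive_keys(master)
    m1 = etm_encrypt(enc_key, mac_key, p1)
    m2 = etm_encrypt(enc_key, mac_key, p2)
    return m1[-TAG_LEN:] != m2[-TAG_LEN:]


def etm_rejects_tamper(master: bytes, plaintext: bytes) -> bool:
    """Flip one ciphertext bit and confirm decryption refuses the message."""
    enc_key, mac_key = derive_keys(master)
    msg = bytearray(etm_encrypt(enc_key, mac_key, plaintext))
    msg[NONCE_LEN] ^= 0x01  # first ciphertext byte
    try:
        etm_decrypt(enc_key, mac_key, bytes(msg))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    master = os.urandom(32)  # constructed master key
    print("Scheme One tag equal for equal plaintexts:",
          eam_leaks_equality(master, b"attack at dawn", b"attack at dawn"))
    print("EtM tags differ for equal plaintexts:",
          etm_tags_differ(master, b"attack at dawn", b"attack at dawn"))
    print("EtM rejects a flipped bit:", etm_rejects_tamper(master, b"attack at dawn"))
```

Two design choices are worth noting. The encryption and MAC keys are derived separately from one master key rather than shared, which answers the "same HMAC key" part of the question conservatively: key separation costs nothing and removes any interaction between the two primitives. And `etm_decrypt` compares tags with `hmac.compare_digest` and returns before touching the ciphertext, which is the "discard a forged message without decrypting it" property the answer mentions.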